PCI Compliance = Poor Security

Wired‘s recent article on “The 10 Biggest Bank Card Hacks” discussed the role of PCI Compliance. PCI is the Payment Card Industry security standard introduced in 2005. Even though the companies involved in these breaches were “certified PCI compliant”, multiple times, the breaches still occurred. How could that happen?

PCI is a very poor standard.

Back in 2005/2006 time frame, IWL had just completed a beautiful new online store. Then our bank informed us that if we did not make our online store PCI compliant, the bank would impose a penalty each month for non-compliance.

We obtained a copy of the PCI standard.

We were stunned to learn that the PCI standard was written for Windows servers. The PCI standard assumed that each online store utilized a Windows server instead of maintaining an operating system neutral stance as a standard should. However, 70% of all the web servers in existence are LAMP (Linux, Apache, MySQL, and PHP). In other words, not Windows! We contacted the bank and asked if this was joke? How could they insist on a standard that applied to only 30% of the market? In a roundabout way, the bank hemmed and hawed and said well they, along with the other banks, had outsourced the creation of the standard and could not really answer questions about it.

The bank referred us to a representative from the outsourcing organization. We telephoned him. When we pointed out our concerns with the standard, he became very hostile. (In our opinion, hostility is the first refuge of the incompetent when confronted with their incompetence.) The conversation was fruitless.

Next we talked to web development companies who created online stores to learn how they were handling the problem. One of them said that PCI compliance was simply an invention by the banking/credit card community to impose a fee on online stores. He said his company was simply paying the fee and ignoring PCI compliance. Other web developers hemmed and hawed as they had not figured out what to do. Certainly the outsourcing organization had not solicited input from the web development community.

IWL considered its options. We were not going to start over with a Windows-based web server. We were not going to pay large sums of money to become certified as PCI compliant. We decided to outsource the online store.

In 2006 we found a company that had a system for creating and hosting an online store that claimed to be PCI compliant. We moved our beautiful online store to the adequate and mediocre one provided by the outsourcing organization. Over time, we came to realize that the outsourced store was probably not PCI compliant. Why not? As a user browsed through the online store, the https connection dropped and the connection reverted to http (without the “s”)! This caused us to question the utility and soundness of the PCI compliance certification.

We shopped around for online stores again and signed up with a new one that seemed to have better systems, processes, and methods for monitoring and assuring security. Yes it was also “PCI compliant”. However, we were more impressed with the systems, processes and methods, not “PCI compliance”. The only sensible approach to preventing credit card fraud is to find a great team of people incorporating best practices, monitoring activity, etc. Over reliance on a PCI badge does not guarantee security.